Security Incidents mailing list archives
New scanning tool?
From: "Portnoy, Gary" <gportnoy () BELENOSINC COM>
Date: Fri, 23 Mar 2001 12:48:07 -0500
Hey there,

In the last two days I noticed a peculiar scan with a signature I had not encountered before. This scan seems to be a combination SNMP/NBT scan. Strange combination, I know. Maybe somebody knows what it is.

First thing is a ping sweep, and at the same time a UDP packet to port 161 to all the addresses. Now, the machines that respond to the ping get a subsequent UDP packet to port 137. The SNMP packet is resent 2 more times every 5 seconds in the first instance I encountered. The SNMP packet is resent 6 times in the second scan with this pattern: 2 second pause, 4 second pause, 2 second pause, 4 second pause, etc.

Unfortunately SNORT didn't capture anything, I wish portscan plugin could log packets to a file, so I don't know what the SNMP string was, or what was the payload in the NBT packet...

Ideas?

-Gary-

Gary Portnoy
Network Administrator
gportnoy () belenosinc com
PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C
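The scan pattern described in the message above, written as correlation logic over flow records. This is an added example and not part of the original post; the record format, the documentation-range addresses and the name `find_snmp_nbt_sweeps` are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records: (seconds, src, dst, kind).
# kind: "echo" / "echo-reply" for ICMP, "udp/161" (SNMP), "udp/137" (NBT name service).
SCANNER = "192.0.2.50"                      # assumed address, not from the post
TARGETS = ["198.51.100.%d" % n for n in range(1, 5)]
SAMPLE = []
for host in TARGETS:
    SAMPLE.append((0.0, SCANNER, host, "echo"))
    for t in (0.0, 5.0, 10.0):              # first send plus 2 resends, 5 s apart
        SAMPLE.append((t, SCANNER, host, "udp/161"))
for host in TARGETS[1::2]:                  # only .2 and .4 answer the ping
    SAMPLE.append((0.2, host, SCANNER, "echo-reply"))
    SAMPLE.append((0.5, SCANNER, host, "udp/137"))
SAMPLE.append((1.0, "198.51.100.9", "198.51.100.2", "udp/137"))  # ordinary NBT traffic


def find_snmp_nbt_sweeps(events, min_targets=3):
    """Flag sources that ping+SNMP many hosts, then probe UDP/137 only on responders."""
    pinged, snmp, replied, nbt = (defaultdict(set) for _ in range(4))
    snmp_times = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, kind in sorted(events):
        if kind == "echo":
            pinged[src].add(dst)
        elif kind == "udp/161":
            snmp[src].add(dst)
            snmp_times[src][dst].append(ts)
        elif kind == "echo-reply":
            replied[dst].add(src)           # keyed by the host that sent the ping
        elif kind == "udp/137":
            nbt[src].add(dst)
    findings = {}
    for src in pinged:
        swept = pinged[src] & snmp[src]     # hosts that got both the ping and SNMP
        if len(swept) < min_targets:
            continue
        alive = replied[src] & swept
        # Signature: within the swept range, NBT probes go to ping responders only.
        if alive and nbt[src] & swept == alive:
            times = snmp_times[src][min(swept)]
            gaps = [round(b - a, 1) for a, b in zip(times, times[1:])]
            findings[src] = {"swept": len(swept),
                             "nbt_targets": sorted(alive),
                             "snmp_gaps": gaps}  # retransmit timing, e.g. 5 s or 2/4 s
    return findings
```

The `snmp_gaps` field keeps the retransmit intervals so the two timing patterns mentioned in the message (every 5 seconds versus alternating 2 and 4 second pauses) can be told apart.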